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VERSION MAttKFn IIP TO SHOW CHANGES BEING MADE 



1 1. (amended) A system for maintaining security in a distributed computing 

2 environment, comprising: 

3 a policy manager for managing a security policy; and 

4 an application guard for managing access to securable components as specified by 

5 the security policy; 

6 wherein said securable components are separate and distinct from said security 

7 policy . 

1 2. (amended) The system of claim 1 [, wherein said policy manager] further 

2 compris[es]ing a management station for constructing and editing the security policy. 

1 9. (amended) The system of claim 1, wherein said system [is scalable by] further 

2 [comprising] comprises a plurality of clients, said policy manager [further-managing] 

3 manages and [distributing] distributes a customized local policy to each client, and each 

4 client includes at least one additional application guard [located on each client] for 

5 managing access to the securable components of that client as specified by each 

6 customized local policy. 

1 18. (amended) A system for controlling user access in a distributed computing 

2 environment, comprising: 

3 a global policy specifying access privileges of the user to securable components; 

4 a policy manager located on a server for managing and distributing to a client a 

5 local client policy based on the global policy [to a client], and 

6 an application guard located on the client for managing access to the securable 

7 components as specified by the local client policy. 
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1 19. (amended) The system of claim 18 further comprising at least one additional 

2 client, said policy manager further managing and distributing to each additional client a 

3 customized local policy based on the global policy [to each additional client], and 

4 comprising at least one additional application guard located on each additional client for 

5 managing access to the securable components as specified by the customized local 

6 policy. 



1 48. (amended) A method for maintaining security in a distributed computing 

2 environment, comprising the steps of: 

3 managing a policy by using a policy manager [by specifvingV to*specifv access 

4 privileges of a user to securable components; and 

5 distributing the policy to a client having an application guard[, whereby the 

6 application guard] which manages access to the securable components as 

7 specified by the policy. 

1 51. (amended) A method for maintaining security on a client in a distributed 

2 computing environment, comprising the steps of: 

3 using an application guard interface for [constructing and] issuing an 

4 authorization request for a user to gain access to securable components 

5 located on the client [using an application guard] ; 

6 using the application guard to evaluate [evaluating] the authorization request 

7 [using the application guard to] and thereby determine if the authorization 

8 request is valid or invalid; and 

9 allowing access to the user via the application guard if the evaluated authorization 

10 request was valid, and denying access to the user via the application guard 

11 if the authorization request was invalid. 
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1 53. (amended) A computer-readable medium comprising program instructions for 

2 maintaining security in a distributed computing environment by performing the steps of: 

3 managing a policy by using a policy manager [by specifying] to specify access 

4 privileges of a user to securable components; 

5 distributing the policy using the policy manager to a client having an application 

6 guard, whereby the application guard manages access to the securable 

7 components as specified by the policy; and 

8 executing said policy manager with a processor to manage and distribute the 

9 policy. 

1 59. (amended) A system [to protect computer systems against unauthorized access] 

2 for managing and enforcing complex security requirements to protect computer systems 

3 against unauthorized access in a distributed computer network comprising: 

4 a policy manager located on a server for managing and distributing a policy to a 

5 client; and 

6 an application guard located on the client, acting to grant or deny access to 

7 various components of the client, as specified by the policy. 

1 65. (amended) The system of claim 59 wherein the server includes a non- volatile 

2 memory[, where] storing the policy manager [is located] that specifies the security 

3 requirements for applications and database objects; 

4 said policy contains security rules that describe at least one constraint that 

5 constrains 

6 which applications a particular user can access and 

7 which objects within an application a user can access. 



(000707 15vl} 



35 



1 66. (amended) The system of claim 65 wherein the policy manager allows the 

2 administrator to choose whether the constraints are [effected] affected by any of 

3 time, 

4 geography, and 

5 external events. 



1 96. (amended) The system of claim 77 wherein conditions comprise constraints and 

2 the system [having] has at least facilities for defining constraints as expressions formed 

3 from operators including at least NOT, AND, and OR. ~ 



1 101. (amended) A system comprising a computer having a security policy that 

2 includes at least one or more components having at least a set of privileges that includes 

3 at least one privilege that is capable of at least: 

4 being granted to [the] a user explicitly; and 

5 being granted to a role which is granted to the user. 

1 102. (amended) The system of claim 101 wherein: 

2 the role is a named group of privileges containing at least one privilege that are 

3 granted to at least one user or to at least one other role; and 

4 the at least one user granted [to] the role is a member of the role. 
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1 104. (amended) The system of claim 101 wherein roles are organized into a role 

2 hierarchy, where parent roles are granted to children roles such that: 

3 if a parent role is granted a privilege, then the children roles are automatically 

4 granted the privilege; and 

5 if a parent role is denied a privilege, then the children roles are automatically 

6 denied the privilege. 

1 108. (amended) [The] A security system comprising a policy manager located on a 

2 computer system that includes at least: 

3 a management console or station; 

4 a database management system; 

5 an audit facility; and 

6 a distributor. 

1 109. (amended) The system of claim 108 wherein the management sfcation [further] 

2 comprises a Graphical User Interface (GUI) for users to create [creating] and customize 

3 [customizing] rules by system users. 

1 111. (amended) The system of claim 108 wherein the management station includes an 

2 application guard to allow only authorized administrators to operate the management 

3 station based on at least a local administrative policy which provides a set of policy rules 

4 specifying which users are authorized to access the management station. 

1 112. (amended) A security system comprising: 

2 at least one application guard that is stored on a computer readable medium and 

3 that guards a protected application by preventing unauthorized transactional access to at 

4 least a portion of said application. 
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1 14. (amended) The security system of claim 1 13 further comprising a distributor 
capable of distributing the application guard [on] to clients located throughout an 
enterprise. 



1 1 15. (amended) The system of claim 1 13 wherein the application guard is [integrated 

2 into] coupled to the application through an application programming interface (API) or 

3 authorization library that allows the application to request authorization services as 

4 needed through an application guard interface. 



1 116. (amended) The system of claim 113 further comprising 

2 an authorization engine that processes an authorization request;[.] 

3 a checker that parses local client policy and stores the parsed local client policy in 

4 Random Access Memory (RAM); and 

5 an evaluator that [determines whether the authorization request should be granted 

6 or denied by evaluating] evaluates the authorization request with the parsed local client 

7 policy in RAM to determine whether the authorization request should be granted or 

8 denied. 



1 118. (amended) The system of claim 1 13 further comprising a logger where at least: 

2 each authorization request is [then] recorded in an audit log; and 

3 each authorization request made at a location remote from the logger is 

4 transmitted [to the logger] via a communication interface to the logger . 



1 123. (amended) A method of using a security system comprising: 

2 using a management station , including a communication interface, to create or 

3 modify a policy rule ; and 

4 distributing the policy rule to appropriate clients via [a] the communication 

5 interface [included in the management station]. 
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1 124. (amended) The method of claim 123 further compris[es]ing reviewing and 

2 reconstructing the policy rules via a parser to make sure that the policy rules are 

3 syntactically and semantically correct according to a predefined policy language. 



1 125. (amended) The method of claim 123 further compris[es]ing determining via a 

2 differ-program the changes that were made to optimize[d] the policy, and wherein the 

3 step of distributing then distributes only the changed policy rules or local client policy to 

4 the appropriate application guards, which enforce access control to local applications and 

5 data. 

1 128. (amended) [The] A method of distributing at least one security policy rule 

2 comprising: 

3 passing the policy rule through at least 

4 a DataBase (DB) layer [(DB layer)] and 

5 an Open DataBase Connectivity [layer] (ODBC) layer ; 

6 and 

7 storing the policy rule as an enterprise policy, 
(amended) The method of claim 133 wherein 

if the administrator chooses to use the management station, then the step of 
entering includes using an edit function to enter the policy rules, and 
if the administrator chooses to use the policy loader, then the step of entering 
includes 

entering the policy rules into a file, and 
passing the file to the policy loader. 



1 135. 

2 

3 

4 

5 

6 

7 
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1 136. (amended) A method of managing policy under management services in a 

2 management station comprising: 

3 an authorized administrator logging into a policy manager; 

4 the authorized administrator [chooses between] choosing either administrative 

5 mode to manage administrative policy or enterprise mode to manage enterprise policy; 

6 presenting the administrator with menu options including 

7 navigate tree, 

8 analyze policy, 

9 edit policy, 

10 distribute policy, 

1 1 view audit log [which is a security feature that allows an] to allow the 

12 administrator to view and track authorization requests that have occurred at an 

13 application guard connected to a system, and 

14 exit. 

1 137. (amended) The method of claim 136 wherein the menu option navigate tree 

2 provides a set of edit options for an administrator that include to 

3 add, 

4 delete, and 

5 modify features; and 

6 wherein the administrator is presented with a choice of features on a server and on 

7 a client. 
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1 138. (amended) The method of claim 136 wherein the features [that] to which the 

2 administrator [has the option] can apply the edit policy option[s] include 

3 global users, 

4 global roles, 

5 directories, 

6 local roles, 

7 local users, 

8 applications, 

9 application guards, and 
10 declarations. 

1 139. (amended) The method of claim 136 wherein the menu option analyze policy 

2 allows an authorized user to analyze and view rules and policies within the enterprise 

3 policy. 

1 140. (amended) The method of claim 136 wherein the [user] ai^mstotor is presented 

2 with [an] options 

3 to search rules, and 

4 to query policy. 

1 144. (amended) The method of claim 143 wherein the features that may be edited 

2 include 

3 a rule set, 

4 access, 

5 a privilege, 

6 an object[s], 

7 a[n] user 

8 a role, and 

9 an attribute. 
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1 146. (amended) The method of claim 136 wherein upon selecting the distribute policy 

2 option 

3 a distributor optimizes enterprise policy; 

4 a differ program computes a difference between a newly optimized policy and a 

5 formerly optimized policy; 

6 the newly optimized policy is then published as optimized policy in DBMS; 

7 [committing] only the changed portions of the newly optimized policy are 

8 committed to an appropriate application guard; 

9 the application guard receives the changed portions of the newly % optimized 

10 policy; 

1 1 the application guard merges the received changed portions [newly optimized 

12 policy] into local client policy; and 

13 the local client policy is activated to work with the application guard. 
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1 147. (amended) A method of granting client access authorization comprising: 

2 using an application guard that includes at least 

3 requesting access to a software securable component associated with an 

4 application protected by [an] the application guard, wherein the application guard 

5 constructs and issues an authorization request, and 

6 evaluating the authorization request via the application guard according to 

7 its local client policy to determine whether to allow or deny the authorization 

8 request; and 

9 an audit records the authorization request in an audit log; 

10 wherein 

11 if there is an error in the authorization request, or if the request is 

12 not valid, then [the user] access is denied [access]; 

13 if the authorization request is valid, then a determination is made 

14 whether access should be granted, and 

15 if the evaluated authorization request does not deny access 

16 [for the user], then access is allowed, and 

17 if the evaluated authorization request denies access [for the 

18 user], then access is denied. 



{OOO70715vl} 



43 




1 148. (amended) The method of claim 147 wherein evaluating the authorization request 

2 includes an evaluator searching deny rules in a local policy , and 



3 if the evaluator finds a deny rule, then an evaluation is performed on any 

4 constraints on the deny ru\t x 

5 if the evaluation finds a presently valid constraint on the deny rule, 

6 then access is denied, and 

7 if the evaluation finds that all constraints on the deny rule are not 

8 presently valid, then a search for a grant rule is performed; 

9 and 

10 if no deny rules are found, then a search for a gfarirrul^?|fefformed; 

1 1 wherein after a search for a grant rule 

12 if no grant rule is found that would allow access for the user, then 

13 access is denied, and 

14 if a grant rule is found, then an evaluation is performed on any 

15 constraints in the grant rule[s] wherein 

16 if the evaluated constraint is presently validfthen access is 

17 allowed, and 

18 if the evaluated constraint is not presently valid, then access 

19 is denied. 



1 150. (amended) A method for providing a security system^ comprising: 

2 providing at least one application guard that is storable on a computer readable 

3 medium and guards a protected application by preventing unauthorized transactional 

4 access to at least a component associated with the application. 

1 151. (amended) A method for updating a security systenv, comprising: 

2 updating a set of policy rules containing at least one policy rule in a central 

3 location; 

4 generating changes to the set of policy rules resulting from the updating step; and 

5 distributing the changes [to the set of policy rules] . 
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1 154. (amended) A method for establishing a security system^ comprising: 

2 establishing a set of policy rules containing at least one policy rule in a central 

3 location; and 

4 distributing the set of policy rules for enforcement. 
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